XMLFuzz - SOAP/XMLRPC Service Fuzzer


XML services are difficult to work with and often contain unexpected bugs. XMLFuzz was specifically designed to fuzz-test XML services such as XML-RPC (XML Remote Procedure Call), SOAP (Simple Object Access Protocol) and others.

Key Features

By subscribing to XMLFuzz you get the following awesome features:

  • Full support for XML fuzzing
  • Support for SOAP and XML-RPC
  • Fuzz support for XML External Entity (XXE) injection attacks
  • Optional URL query and request headers fuzz stages
  • Test web apps even behind the perimeter firewall
  • Configurable fuzz payloads
  • Share vulnerabilities with team members
  • Exportable reports in HTML, CSV, XML and JSON
  • Integration with 3rd-party tools
  • Easy to use
  • Always available
  • Instantaneous updates

Fuzzing XML

XML-RPC and SOAP use XML as the core mechanism for transferring data in and out of the service. The structure of the XML document can vary in complexity: for example, a document may use custom namespaces, elements and a deeply nested structure. XMLFuzz handles all of this with ease. The fuzzer walks the full structure of an XML document and produces abnormal input while preserving the document's semantics. Deeply nested document elements are well supported.

With XMLFuzz you can discover a wide range of issues from improper handling of input to XXE (XML External Entity) injection and much more.
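The tree walk described above can be sketched as follows for testing a service you own. This is an added example, not XMLFuzz's own code: the sample XML-RPC request, the payload list and all function names are assumptions made for illustration. It replaces exactly one leaf text or attribute value per test case, so every generated document stays well-formed and keeps the original element structure.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: an XML-RPC call with a nested struct (not from the page).
SAMPLE = """<methodCall>
  <methodName>inventory.update</methodName>
  <params>
    <param><value><struct>
      <member><name>sku</name><value><string>A-100</string></value></member>
      <member><name>qty</name><value><int>5</int></value></member>
    </struct></value></param>
  </params>
</methodCall>"""

# Constructed boundary values; a real run would load a configurable payload list.
PAYLOADS = ["", "A" * 4096, "-1", "2147483648"]


def injection_points(elem, path=()):
    """Yield (path, kind, key) for every attribute and every leaf text node."""
    for key in elem.attrib:
        yield path, "attr", key
    if len(elem) == 0:
        yield path, "text", None
    for i, child in enumerate(elem):
        yield from injection_points(child, path + (i,))


def resolve(root, path):
    """Follow a tuple of child indexes from the root down to the target element."""
    for i in path:
        root = root[i]
    return root


def mutations(xml_text, payloads=PAYLOADS):
    """Yield (path, payload, document) with exactly one value replaced per case."""
    root = ET.fromstring(xml_text)
    for path, kind, key in injection_points(root):
        for payload in payloads:
            mutant = copy.deepcopy(root)  # keep the original tree untouched
            target = resolve(mutant, path)
            if kind == "attr":
                target.set(key, payload)
            else:
                target.text = payload
            yield path, payload, ET.tostring(mutant, encoding="unicode")
```

Recording the path alongside each payload lets a failing response be traced back to the exact element that was changed.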
